A shift has occurred in the cybercrime world, and it’s one that mobile app owners can’t afford to ignore. Recently, there’s been a sharp increase in app data theft incidents, primarily with the goal of stealing credentials and gaining access to bank accounts, credit cards, and gift vouchers.
With the rising prevalence of vulnerabilities and attack vectors, consumer app owners have no choice but to immediately consider app protection solutions. The question is, how urgent is this exactly?
Well, in 2014, Kaspersky Lab and Interpol created a joint study to investigate mobile cyber threats. During the course of one year, they discovered that the mobile devices of over one million users were compromised – by over three million attacks! The research also uncovered that the number of monthly attacks on devices increased from 60,000 to 644,000 in 2014.
Why Are Mobile Devices Such a Target of Cybercrime?
When we consider just how dependent consumers have become on mobile apps, it’s clear there’s no going back. Mobile consumer behavior poses a significant obstacle to app security, stemming first and foremost from a lack of awareness regarding the risks of app data theft.
Consumers continuously download apps from multiple sources, connect to public Wi-Fi hotspots they don’t bother verifying, and regularly leave their devices vulnerable to theft. Let’s take a closer look at the implications of these actions on mobile security:
When downloading apps, consumers are oblivious to the fact that they often contain Trojans designed to steal credentials and sensitive personal data. During Kaspersky and Interpol’s 12-month study, mobile banking Trojans increased to 5000 in 2014, up from just a few hundred in 2013.
The most concerning finding is that over half of the malware created was aimed at stealing funds, and roughly 500,000 users had experienced a mobile malware attack at least once.
It’s not uncommon for mobile users to execute multiple financial transactions – often for considered purchases, while using a public Wi-Fi connection and leaving their devices vulnerable to a cyber attack.
For example, in May of 2015, it was discovered that the Starbucks’ app and its gift cards were exposed to vulnerabilities that left customers wide open to data theft. Starbucks offers free Wi-Fi in all of its stores, and hackers were leveraging this to gain access to customers who were using the store’s apps to pay for their purchases. Also, Starbucks’ payment apps were tied to credit cards with an auto refill feature.
Once a customers’ credit card was accessed, hackers added funds to their Starbucks’ accounts – only to pull them out after the fact. While Starbucks attempted to compensate for the problem by offering gift cards in the amount that was stolen, certain customers found they still had to dispute the charges with their credit card providers – which is often a long, aggravating process.
Operating System Vulnerabilities
With critical device vulnerabilities frequently being discovered (read about Stagefright here), Android operating systems are increasingly becoming the facilitator of app data theft and cyber attacks. iOS isn’t without it’s vulnerabilities either; two months ago in June, researchers found security holes which let a malicious app steal passwords from Apple’s Keychain and other apps once exploited.
Understanding the flaws inherent to each unique operating system for which an app is developed is essential to optimizing mobile security. With no “centralized IT group” to identify or prevent such vulnerabilities, consumers have to go it alone in the hopes that app owners have taken necessary measures to ensure their data protection.
Lost or Stolen Devices
Mobile devices are lost or stolen due to their owner’s carelessness; based on IDG Research, half of those surveyed admitted to having left their device in a public place, only to have it taken.
More often than not, today’s consumers store financial data, contacts, emails with personal information, and usernames and passwords for all of their accounts on their mobile phones. If a thief hacks into a stolen smartphone, it’s like having the equivalent of an all-access-pass to his or her identity.
Even if a number of mobile app vulnerabilities are non-code related, this doesn’t mean that app owners aren’t ultimately responsible for protecting their customers from potential exposure.
While consumers are quickly gaining awareness of the threat landscape at large, from reading the news or even watching the latest tech thrillers – at the end of the day, chances are they’ll place the blame squarely on the shoulders of the app provider if anything happens.
Once burned, confidence is lost and consumers will take their business elsewhere.
What many fail to realize is that tried-and-true best practices and secure coding standards are insufficient. App owners can’t continue to rely on device or OS-level protections, and must go beyond basic measures to protect consumer apps from threats that may seem beyond their control.
Without a comprehensive security solution, such as Appdome, app owners cannot adequately protect consumers against credential theft and data leakage. If consumer protection is not a priority, enterprises should be prepared to lose consumers in the event that such a compromise occurs. Learn more on how to protect your mobile apps from this Developers Guide for Mobile App Security.
Thanks for reading! This blog is part of a series focused on Mobile Security Basics, which is appropriate for readers of any level looking to increase their overall mobile security knowledge.